
A WhatsApp message says you've won a prize. "Congratulations! Participate in this survey and win E£19,000." It carries a familiar logo — your bank, your telecom, a soft-drink brand — and a link to a slick mobile page that asks four friendly questions before requesting your phone number, a one-time code, and your card details to "claim" the reward.
That page is phishing, and it belongs to a sprawling operation we track as PrizeBuzz: a phishing-as-a-service network that runs one configurable "prize survey" kit across 318 disposable .buzz domains to impersonate roughly 29 brands across the Middle East, Africa, and Latin America. The lure that triggered this analysis impersonated OMT (a Lebanese money-transfer company) on xjxtg.buzz — but OMT is just one face of the kit. The same software clones Coca-Cola, Vodafone, Pepsi, Mercado Pago, Starbucks, Zain, and more, swapping brands from a config file.
Every PrizeBuzz domain is fronted by Cloudflare, distributed over WhatsApp, and engineered to vanish and respawn the moment it is taken down. This report shows how the kit is built, how it clones any brand, how it hides from researchers, the full indicator list for defenders, and what targeted brands should do about it.
| At a glance | |
|---|---|
| Name | PrizeBuzz — a .buzz prize-survey phishing-as-a-service kit |
| Lures | Fake "win a prize / answer a survey" pages stealing phone, OTP, and card data |
| Scale | 318 .buzz domains enumerated (173 live), ~29 brands impersonated |
| Lead example | OMT phishing (xjxtg.buzz, prior slot wqbgj.buzz) |
| Hosting | Cloudflare on every domain (free DNS + reverse proxy + TLS + edge cache) |
| Registrars | Spaceship, NameSilo (budget, fast registration) |
| Delivery | WhatsApp (s=wa link parameter) with spoofed link previews |
| Kit fingerprint | GET /base.json → code: 1100 (brand-agnostic, strongest signal) |
The PrizeBuzz lure: a fake prize on a throwaway domain
PrizeBuzz runs the oldest playbook in scam-land — a prize you never entered to win. The victim gets a WhatsApp message with a branded link preview and taps through to a mobile page showing the brand's logo, a "Congratulations!" banner, a photo, and a four-question "survey." Answer the questions, scroll past fake testimonials, and the flow asks for a phone number, a one-time code, and ultimately card or account details to "claim" the prize.
We captured the live OMT page on 2026-06-15. It only renders if you request the tokenized path (/bKLsmXm); request the bare domain as a researcher and the server returns a blank decoy (a 404code… token) — the first hint at how carefully this operation hides.
Figure 1: the OMT page (left, xjxtg.buzz) and a Coca-Cola version (right, ucdkx.buzz). It is the same kit, recolored and re-captioned from a config file: identical "Congratulations!" header, four-question survey, and E£19,000 prize.
One kit, 29 brands
The most important finding is in Figure 1: the OMT page and the Coca-Cola page are the same software. The layout, the "Congratulations!" header, the four-question survey, the prize amount, the fake comment section — all identical, just recolored and re-worded per brand.
That is because the page is a Vite-built single-page app, not a static HTML form. The HTML you receive is a 4.8 KB shell: a spinner, an empty <div id="app">, and a script bundle. The shell fetches a config file, /base.json, and renders whatever brand, country, currency, and copy that JSON specifies. One codebase impersonates OMT in Lebanon, Coca-Cola across Latin America, and Vodafone across the Arab world, with no code changes — only a different config.
This is what "phishing-as-a-service" means in practice: the brand is a parameter. Swapping victims from a Lebanese money-transfer company to a global beverage giant is a one-line edit, which is exactly why PrizeBuzz sprawls across ~29 brands and 318 domains.
How PrizeBuzz hides (cloaking + Cloudflare)
Three layers of evasion keep this network alive far longer than a typical phishing site:
Cloaking. The static HTML is deliberately generic. The phishing page only materializes if /base.json returns code: 1100 for your specific request. The server weighs the geo, the locale, the numeric victim token in the URL (e.g. ?0611855385310511618), and the #<unix-ms> fragment, then decides: right country, fresh token, mobile browser → serve the lure; bot, security crawler, wrong geo, or reused token → serve ads or a blank decoy. This is why automated sandboxes frequently report "nothing malicious" on these domains.
Cloudflare on every domain. Each .buzz domain sits behind Cloudflare's free plan, which does triple duty for the attacker: it hides the origin server's real IP, supplies free automatic TLS (so the padlock looks legitimate), and edge-caches the kit so the page survives even if the origin is taken down. Each domain is placed on a different Cloudflare account, spreading the footprint so a single abuse report rarely kills more than one site.
Disposable, DGA-style domains. The entry points are five random lowercase letters plus .buzz (xjxtg, wqbgj, ucdkx…), registered in bulk through budget registrars and rotated continuously. Combined with the one-time victim tokens, every malicious URL is unique and short-lived, so full-URL blocklists age out almost instantly.
The result is a network built for whack-a-mole. Kill xjxtg.buzz and the kit, the config, the ad layer, and the WhatsApp blast simply move to the next five-letter .buzz. OMT impersonation alone has run for 8-plus months across at least two domains: wqbgj.buzz (registered 2025-10-28, NameSilo) rotated to xjxtg.buzz (registered 2026-05-09, Spaceship) — same brand config, different registrar and Cloudflare account.
Two scam kits, one operator
PrizeBuzz infrastructure runs two distinct money-makers, both identifiable by the /base.json → code: 1100 fingerprint and both carrying an ads monetization block:
- Kit A — brand impersonation. The prize/survey credential-and-card theft described above. Its config schema is {version, code, ads, countryRules, defaultConfig{brand,pageColor}, IncomeConfig, currencyInfo}. The impersonated brand sits in defaultConfig.brand. Roughly 44 live domains, ~29 brands.
- Kit B — "earn money / task wages" investment scam. A fake earning platform (deposit-then-payout fraud) with no brand field; its config keys show_payment_proof, show_payout_methods, and phone_input_mode are the tells. Around 127 live domains using click…wages, click…spark, and …star name patterns.
Even non-victims are monetized: traffic that fails the cloaking check is redirected to .top advertising domains (hnec.top, sfum.top, hopk.top, utm_campaign=m01001), so the operator earns from researchers and the wrong-geo crowd too.
Brands impersonated by PrizeBuzz
Each live domain's /base.json was probed on 2026-06-15 to read its defaultConfig.brand. OMT, Coca-Cola, Vodafone, Mercado Pago, and Starbucks were confirmed firsthand; the rest are from the enumerated set. This is the list brands need for takedown and customer warnings.
| Brand | Sector · region | Live phishing domain(s) |
|---|---|---|
| OMT | Money transfer · Lebanon | xjxtg.buzz, wqbgj.buzz |
| Coca-Cola | Beverage promo · global | ucdkx.buzz, nhvhe.buzz, prskm.buzz, xdmnr.buzz, cyeai.buzz |
| Mercado Pago | Fintech · Latin America | bfhix.buzz, ausnb.buzz, undcz.buzz |
| Vodafone (فودافون) | Telecom · MENA | pqovo.buzz, mxqec.buzz, mybfm.buzz |
| K-Card (كي كارد) | Prepaid card · MENA | evyus.buzz, hufyq.buzz, sluoh.buzz |
| Empresas Polar | FMCG · Venezuela | igouo.buzz, ulkcp.buzz |
| Inca Kola | Beverage · Peru | dupei.buzz, pquxn.buzz |
| TotalEnergies | Energy · global | ocsvp.buzz, bnfxn.buzz |
| Zain | Telecom · MENA | efcpd.buzz, aacqh.buzz |
| 7Up | Beverage promo | ppcqs.buzz |
| Arab Bank | Bank · MENA | jagpt.buzz |
| Bank of Africa (BOA) | Bank · Africa | pevym.buzz |
| Bank of Khartoum | Bank · Sudan | zapwu.buzz |
| Bodega Aurrera | Retail · Mexico | mcpfv.buzz |
| Capitec | Bank · South Africa | ggajw.buzz |
| Entel | Telecom · Chile/Peru | leere.buzz |
| Flow | Telecom · Caribbean | theasdaww.buzz |
| GraceKennedy | FMCG/finance · Jamaica | tutxx.buzz |
| Harina P.A.N. | FMCG · Venezuela | mzyrb.buzz |
| Heinz | FMCG promo | akssd.buzz |
| Massy Stores | Retail · Caribbean | qiuwi.buzz |
| Mercado Libre | E-commerce · Latin America | cszgt.buzz |
| Pepsi | Beverage promo | icxya.buzz |
| Siga (سيقا) | FMCG · MENA | rpnoh.buzz |
| Spar | Retail · global | kfack.buzz |
| Starbucks | Retail promo · global | nhvyu.buzz |
| Syriatel | Telecom · Syria | ybcii.buzz |
| Telebirr | Mobile money · Ethiopia | psvqd.buzz |
| Tuti | Retail/fintech | ogawn.buzz |
| Earn-money scam (Kit B) | Not brand-specific | 127 domains (click*wages, click*spark, *star) |
The PrizeBuzz fingerprint: /base.json returns code 1100
The strongest, brand-agnostic way to confirm a domain is part of PrizeBuzz is to read its config. Probing the OMT domain on 2026-06-15 returned, verbatim:
GET https://xjxtg.buzz/base.json
{
"version": "5.09",
"code": 1100,
"ads": ["sfaehe.buzz","lnczfe.buzz","ohtdaw.buzz","hvxfzw.buzz","nvzeag.buzz"],
"countryRules": { "defaultCountry": "lb", "rules": [] },
"defaultConfig": { "brand": "OMT", "displayLogo": 1, "displayFooter": 1, ... }
}
code: 1100 plus the schema keys is the operator's signature. It is far more reliable than visual similarity, because the kit cloaks — a screenshot tool sees a decoy, but the config does not lie. (Note the ads array even leaks five fresh .buzz ad/fallback domains the operator is rotating.)
How to detect PrizeBuzz
For brand-protection and detection teams, layer three checks:
Tier 1 — passive scoring (cheap, run on any candidate domain). Flag short, DGA-style names on cheap TLDs behind Cloudflare with a young registration age and a WhatsApp distribution marker:
name: ^([a-z]{5}|click[a-z0-9]+(wages|spark)|[a-z]+star)\.(buzz|top|sbs|cyou|icu|xyz)$
nameservers: \.ns\.cloudflare\.com
registrar: {Spaceship, NameSilo, Namecheap, …} # budget
age: < 60 days
url param: (?:^|&)s=wa(?:&|$) # WhatsApp distribution
→ HIGH confidence when 3+ match
Tier 2 — active probe (confirms the PrizeBuzz kit, brand-agnostic). GET /base.json and check for 200 / application/json / code == 1100 plus either kit's key set. Also probe /static/js/<8char>.js and /metaconfig/images/<locale>/01.jpg.
Tier 3 — brand match. Read /base.json → defaultConfig.brand to attribute the lure to OMT (or any brand) for notification, plus countryRules and currencyInfo for the target geo.
Discovery pivots: urlscan.io searches for page.url:"s=wa" AND domain:buzz and filename:"base.json"; certificate-transparency logs (crt.sh) for new five-letter .buzz certificates; and the shared .top ad layer (hnec/sfum/hopk.top, utm_campaign=m01001) to find the operator's other campaigns.
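The three tiers above as working detection logic, added here as an example (not PhishEye's code or the kit's). It transcribes the Tier 1 scoring rules, checks the code 1100 fingerprint, and pulls kit, brand and geo from a constructed base.json modelled on the OMT config quoted in this report; the nameserver label and domain age used in the test are assumed values.

```python
import json
import re

# Tier 1 passive rules, transcribed from the report's scoring list.
NAME_RE = re.compile(r"^([a-z]{5}|click[a-z0-9]+(wages|spark)|[a-z]+star)\.(buzz|top|sbs|cyou|icu|xyz)$")
CF_NS_RE = re.compile(r"\.ns\.cloudflare\.com$")
WA_PARAM_RE = re.compile(r"(?:^|&)s=wa(?:&|$)")
BUDGET_REGISTRARS = {"spaceship", "namesilo", "namecheap"}
# Tier 2/3: the two kit schemas named in the report.
KIT_A_KEYS = {"version", "code", "ads", "countryRules", "defaultConfig"}
KIT_B_KEYS = {"show_payment_proof", "show_payout_methods", "phone_input_mode"}

def passive_score(domain, nameservers, registrar, age_days, query_string):
    """Return the matched Tier 1 signals and HIGH when 3 or more of them fire."""
    hits = []
    if NAME_RE.match(domain.lower()):
        hits.append("dga_name")
    if any(CF_NS_RE.search(ns.lower()) for ns in nameservers):
        hits.append("cloudflare_ns")
    if registrar.lower() in BUDGET_REGISTRARS:
        hits.append("budget_registrar")
    if age_days < 60:
        hits.append("young_domain")
    if WA_PARAM_RE.search(query_string):
        hits.append("whatsapp_param")
    return hits, ("HIGH" if len(hits) >= 3 else "LOW")

def classify_base_json(status, content_type, body):
    """Confirm the code 1100 fingerprint, then attribute kit, brand and geo."""
    if status != 200 or not content_type.startswith("application/json"):
        return None  # decoy page, ad redirect, or not this kit
    cfg = json.loads(body)
    if cfg.get("code") != 1100:
        return None
    result = {"kit": "unknown", "brand": None, "country": None, "ads": list(cfg.get("ads", []))}
    if KIT_A_KEYS <= set(cfg):
        result["kit"] = "A"
        result["brand"] = cfg["defaultConfig"].get("brand")
        result["country"] = cfg["countryRules"].get("defaultCountry")
    elif KIT_B_KEYS & set(cfg):
        result["kit"] = "B"
    return result

# Constructed sample: the OMT config quoted in the report, without the elided trailing fields.
SAMPLE_BASE_JSON = json.dumps({
    "version": "5.09", "code": 1100,
    "ads": ["sfaehe.buzz", "lnczfe.buzz", "ohtdaw.buzz", "hvxfzw.buzz", "nvzeag.buzz"],
    "countryRules": {"defaultCountry": "lb", "rules": []},
    "defaultConfig": {"brand": "OMT", "displayLogo": 1, "displayFooter": 1},
})
```

Feed passive_score the WHOIS/DNS fields you already collect per candidate domain, and classify_base_json the raw response of a GET /base.json; a 404, an HTML decoy, or any code other than 1100 yields None, which is exactly what the cloaking layer shows a crawler.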
Indicators of compromise (IoCs)
Defanged with [.] — re-fang before loading into tooling. Defensive analysis only; no victim data was retrieved or reproduced.
| Type | Indicator | Notes |
|---|---|---|
| Lead OMT domain | xjxtg[.]buzz (live), wqbgj[.]buzz | OMT phishing, rotated 8+ months |
| Confirmed-live brand domains | ucdkx[.]buzz (Coca-Cola), pqovo[.]buzz (Vodafone), bfhix[.]buzz (Mercado Pago), nhvyu[.]buzz (Starbucks), icxya[.]buzz (Pepsi) | Kit A |
| Kit fingerprint | GET /base.json → code: 1100 | Plus the two schemas above |
| Ad/fallback domains | sfaehe[.]buzz, lnczfe[.]buzz, ohtdaw[.]buzz, hvxfzw[.]buzz, nvzeag[.]buzz | From the live config |
| Ad/monetization (Tier filter) | hnec[.]top, sfum[.]top, hopk[.]top, utm_campaign=m01001 | Non-victim redirect |
| Asset paths | /static/js/<8char>.js, /static/css/<8char>.css, /metaconfig/images/<locale>/01.jpg | — |
| URL shape | https://<5char>.buzz/<6-8char>/<cc>-<lang>?<numeric-token>&s=wa#<unix-ms> | One-time victim link |
| Infrastructure | Cloudflare NS (*.ns.cloudflare.com), Cloudflare IPs 104.21.x / 172.67.x, Google Trust Services WE1 TLS, registrars Spaceship / NameSilo | Origin hidden |
| Exfiltration reference | Telegram | From kit config/family |
The full enumeration of 318 domains (173 live, 145 dead) is maintained in the campaign IoC file and shared with affected brands on request.
What customers and impersonated brands should do
If you're a customer of OMT, Vodafone, or any targeted brand: treat any WhatsApp message promising a cash prize, gift, or survey reward as a scam. Real money-transfer and telecom companies do not run "answer four questions and win E£19,000" giveaways over forwarded WhatsApp links. Never enter your phone number, one-time code, or card details on a page reached from such a message, and check that the address is the company's real domain — not a five-letter .buzz site.
If you're an impersonated brand: per-domain takedown is whack-a-mole against PrizeBuzz by design. The durable defense is fingerprint-based detection plus continuous takedown:
- Hunt for the code: 1100 kit fingerprint and the .buzz / cheap-TLD short-DGA pattern, not just exact URLs.
- Monitor certificate-transparency logs to catch new domains before the WhatsApp blast goes out.
- Run takedowns through both the registrar (Spaceship / NameSilo) and Cloudflare's abuse process, since Cloudflare fronting and edge caching keep origin-level action from working alone.
- Watch trusted-platform and cheap-TLD abuse, because reputation filters that only flag "shady" TLDs will miss Cloudflare-fronted .buzz sites with valid TLS.
How PhishEye helps
PrizeBuzz is exactly the threat PhishEye is built to counter: a brand's identity cloned into a kit, deployed across hundreds of disposable lookalike domains, fronted by Cloudflare, and pushed over WhatsApp.
PhishEye continuously discovers lookalike and impersonation domains — including short-DGA .buzz and cheap-TLD permutations — and confirms them with active HTTP probing (a /base.json → code: 1100 check is far higher-confidence than visual similarity, since the kit cloaks). It then ships evidence and runs coordinated takedowns through registrars and Cloudflare in parallel, and pairs dark-web and AI monitoring to catch the credentials and card data that surface after a successful steal. A certificate-transparency monitor is the right place to catch these domains before the blast — and you can gut-check any suspicious link yourself with the free phishing URL checker.
Frequently asked questions
What is PrizeBuzz?
PrizeBuzz is the name we use for a phishing-as-a-service operation that runs one configurable "prize survey" kit across 318 disposable .buzz domains to impersonate OMT and ~28 other brands. The same software renders any brand from a JSON config file, hides behind Cloudflare, and is distributed over WhatsApp.
Is the OMT prize message real?
No. The "OMT - Ashura Gifts!" / "win E£19,000" message circulating on WhatsApp is an OMT phishing scam — one brand inside the PrizeBuzz network. OMT does not run prize surveys over forwarded WhatsApp links. The page (on domains like xjxtg.buzz) is designed to steal your phone number, one-time code, and card details.
Why do security scanners say these domains are clean?
Because the kit cloaks. It serves the phishing page only to a likely victim (right country, fresh one-time token, mobile browser) and serves ads or a blank decoy to bots, crawlers, and researchers — so automated scanners often see "nothing."
How can I tell if a domain belongs to PrizeBuzz?
Request its /base.json. If it returns code: 1100 with the brand-impersonation or earn-money schema, it is this kit — regardless of what the visible page shows.
My brand is on the list — what should I do?
Move to continuous, fingerprint-based detection and run takedowns through both the registrar and Cloudflare. PhishEye detects and removes these impersonation domains at scale; you can also remove a single page using our guide on how to take down a phishing website.
References
- The Hacker News — INTERPOL Takes Down Sniper Dz Phishing Platform (related phishing-as-a-service takedown)
- PhishEye — SniperDz: Phishing-as-a-Service, Dismantled
- PhishEye — How to take down a phishing website
